The vulnerability affects the mobile applications of Hyundai and its luxury brand Genesis, which owners use to track the status of their cars, schedule maintenance, unlock doors and start the engine. According to Sam Curry, the hacker and bug hunter who discovered the vulnerability, the mobile apps for Hyundai and Genesis vehicles only provide functionality to authorized users.
However, Sam and his team found that the server did not require users to verify their email address. In addition, it turned out that authorization could be bypassed by adding CRLF characters to the end of the victim's address during the creation of a new account. It was thus possible to create a new account in the application with an email address that already existed.
The new account was given a JSON web token (JWT) that matches the real email address, allowing the hacker to access the victim's app account and then the car.
To test the exploit, the researchers ran an experiment on one of their vehicles. It worked: Sam's team was able to unlock the car using a new account linked to the victim's modified email address.
The researchers even wrote a Python script that takes control of a car; a potential car thief would need only the victim's email address.
But there is also good news. The researchers reported the vulnerability to Hyundai, and according to Curry, it has been patched.
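For server-side developers, the duplicate-account bypass described above can be modelled as a mismatch between the string used for the uniqueness check and the string placed in the token. The following is an added example, not code from the researchers or from Hyundai; the in-memory account store, the function names and the assumption that the weak server trimmed the address only when building the token are all hypothetical.

```python
import re
import unicodedata

# Assumed model (not Hyundai's code): accounts are keyed by the e-mail string.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
EMAIL_SHAPE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

class RegistrationError(ValueError):
    """Raised when a registration request must be refused."""

def canonical_email(raw: str) -> str:
    """Return the single form used for storage, lookup and token claims."""
    if CONTROL_CHARS.search(raw):
        # Reject rather than strip: silently trimming CR/LF is what lets two
        # different inputs collapse onto one identity later in the pipeline.
        raise RegistrationError("control character in e-mail address")
    email = unicodedata.normalize("NFKC", raw).casefold()
    if not EMAIL_SHAPE.fullmatch(email):
        raise RegistrationError("malformed e-mail address")
    return email

def naive_register(accounts: dict, raw: str) -> str:
    """Weak pattern: uniqueness on the raw string, token subject on a trimmed one."""
    if raw in accounts:
        raise RegistrationError("address already registered")
    accounts[raw] = {"verified": False}
    return raw.strip()  # the subject claim a token would carry

def hardened_register(accounts: dict, raw: str) -> str:
    """Same canonical value for the duplicate check, the record and the token."""
    email = canonical_email(raw)
    if email in accounts:
        raise RegistrationError("address already registered")
    accounts[email] = {"verified": False}  # issue no token until verified
    return email

if __name__ == "__main__":
    store = {"owner@example.com": {"verified": True}}  # constructed sample data
    print(repr(naive_register(dict(store), "owner@example.com\r\n")))
    try:
        hardened_register(store, "owner@example.com\r\n")
    except RegistrationError as exc:
        print("rejected:", exc)
```

The hardened path also leaves the new record unverified, which addresses the missing email verification the researchers noted.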